ctxis / django-admin-view-permission Goto Github PK

Hi,

Very helpful package.I have a issue here. I enabled view permission for my custom user model. This model is also connected to profile model via one to one relation. Now if i assign a user view permission of custom user model and change permission of profile model, my admin still shows the profile inline as readonly.

Is this something that can be taken care of in this great package?

In admin, when using a add user model form raises a key error:

Request Method: | GET
http://127.0.0.1:8000/admin/auth/user/add/
KeyError: 'password'

Hi,
I have 500 error when opening admin details page, having view permission only and prepopulated_fields = {'slug': ('name',)}
Django==1.11.6

Traceback:

File "/path/local/lib/python2.7/site-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/path/local/lib/python2.7/site-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/path/local/lib/python2.7/site-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/path/local/lib/python2.7/site-packages/django/contrib/admin/options.py" in wrapper
  551.                 return self.admin_site.admin_view(view)(*args, **kwargs)

File "/path/local/lib/python2.7/site-packages/django/utils/decorators.py" in _wrapped_view
  149.                     response = view_func(request, *args, **kwargs)

File "/path/local/lib/python2.7/site-packages/django/views/decorators/cache.py" in _wrapped_view_func
  57.         response = view_func(request, *args, **kwargs)

File "/path/local/lib/python2.7/site-packages/django/contrib/admin/sites.py" in inner
  224.             return view(request, *args, **kwargs)

File "/path/local/lib/python2.7/site-packages/adminsortable/admin.py" in change_view
  268.             form_url='', extra_context=extra_context)

File "/path/django-admin-view-permission/admin_view_permission/admin.py" in change_view
  313.             request, object_id, form_url, extra_context)

File "/path/local/lib/python2.7/site-packages/django/contrib/admin/options.py" in change_view
  1511.         return self.changeform_view(request, object_id, form_url, extra_context)

File "/path/local/lib/python2.7/site-packages/django/utils/decorators.py" in _wrapper
  67.             return bound_func(*args, **kwargs)

File "/path/local/lib/python2.7/site-packages/django/utils/decorators.py" in _wrapped_view
  149.                     response = view_func(request, *args, **kwargs)

File "/path/local/lib/python2.7/site-packages/django/utils/decorators.py" in bound_func
  63.                 return func.__get__(self, type(self))(*args2, **kwargs2)

File "/path/local/lib/python2.7/site-packages/django/contrib/admin/options.py" in changeform_view
  1408.             return self._changeform_view(request, object_id, form_url, extra_context)

File "/path/local/lib/python2.7/site-packages/django/contrib/admin/options.py" in _changeform_view
  1473.             model_admin=self)

File "/path/local/lib/python2.7/site-packages/django/contrib/admin/helpers.py" in __init__
  45.         } for field_name, dependencies in prepopulated_fields.items()]

File "/path/local/lib/python2.7/site-packages/django/forms/forms.py" in __getitem__
  164.                     ', '.join(sorted(f for f in self.fields)),

Exception Type: KeyError at /molly/product/product/679/change/
Exception Value: u"Key 'slug' not found in 'ProductForm'. Choices are: ."

Hello,
I have the following problem: I installed this package with django version 1.11.5 and after adding it to the INSTALLED_APPS array on the admin site I do not see users or groups, could you please help me to solve this problem?

Users with "change" permissions see "delete selected" action in drop down. When they submit this action, they get 403 error, but I think they should not even see it.

View permissions don't have logs? Is there any way to check who has seen what?

Looks great, but when I call to a related model, it only shows the code:
Vocabulary in General [u'10']

and it doesn't expand the inline Questionaire.
Installed:
Django 1.8.6,
Python 2.7,
Grappelli 2.7.1,
ckeditor 4.4.8 - used for Questionnaire,
MultiSelectField 0.1.3 - used for Summary

Here's my admin.py:

class EvaluationAdmin(admin.ModelAdmin):
    fieldsets = [
        ('Scheduling Info',    {'fields': [('candidate'), ('user', ), ('status'), ('source'), ('sourcename')]}),
        ("Questionnaire", {"classes": ("placeholder evaluationresponse_set-group",), "fields" : ()}),
        ("Feedback", {"classes": ("placeholder evaluationscore-group",), "fields" : ()}),
        ('Comments', {'fields': [('comments')]}),
        ('Summary', {'fields': [('grammar', ), ('conversation'), ('pronunciation'), ('confidence'), ('level')]}),
    ]

Here are my models:

class Evaluation(models.Model):
    xRATING = (
       ("E", "Excellent "),
       ("VG", "Very Good "),
       ("G", "Good "),
       ("R", "Regular "),
       ("N", "Needs Improvement "),
       ("P", "Poor "),
    )
    grammar= models.CharField(choices=xRATING, max_length=30, blank=True, null=True, verbose_name='Applied Grammar')

class EvaluationScore(models.Model):
    xSCOREMSGS1 = (
        (10, "Excellent amount of vocabulary."),
        (11, "Good amount of vocabulary.  Always room for improvement."),
        (12, "Needs to acquire more vocabulary to express ideas better."),
        (13, "Used some false cognates."),
        (14, "Does not have sufficient vocabulary to express ideas; used several false cognates or invented words, used Spanish."),
    )
   vocabulary_general= MultiSelectField(choices=xSCOREMSGS1, max_length=30, blank=True, null=True, verbose_name='Vocabulary in General')

And here's my form:

class EvaluationResponseform(forms.ModelForm):
    response = forms.CharField(widget=CKEditorWidget(),
        label=mark_safe("<normal><br/><br/><br/>Are you currently living in a house or in an apartment?"), required=False,)

    class Meta:
        model = EvaluationResponse
        fields = ('response',)

If user has view but not change perm, deleting using the action menu will raise a KeyError here https://github.com/ctxis/django-admin-view-permission/blob/master/admin_view_permission/admin.py#L300

Affects Django 1.11.8

Hi,

This package override models' meta permissions attribute so any custom permissions will not apply.

It would be nice that the view permission is added to permissions attribute rather than overridden.

Is it expected behaviour that if a User has view and delete permissions, that they won't be able to delete? i.e. there is still a predicate that a user requires change to add or delete models?

I have a custom action, eg: publish_article. And i want users with only view permission to perform this action. However, this package gives no actions for users with only view permission. I think this is not reasonable.

related code: admin_view_permission/admin.py, line 208:

        # If the user doesn't have delete permission return an empty
        # OrderDict otherwise return only the default admin_site actions
        if not self.has_delete_permission(request):
            return OrderedDict()

The offending code is https://github.com/ctxis/django-admin-view-permission/blob/master/admin_view_permission/admin.py line 339, at least in my case the form has two password fields: password1 and password2

this is part of the rendered form

<div class="form-row field-password1">
 <div>
   <label class="required" for="id_password1">Password:</label>
   <input type="password" name="password1" id="id_password1" required />
   </div>
   </div>
   <div class="form-row field-password2">
   <div>
   <label class="required" for="id_password2">Password confirmation:</label>
   <input type="password" name="password2" id="id_password2" required />
   <div class="help">Enter the same password as before, for verification.</div>
   </div>
   </div>

Hi there,

when installing the package via pip or manually by executing setup.py the management command is not installed?
Could you change the packages information in setup.py?

Hi guys, i was looking around the django packages site if there was any way to add view permissions, then i came across your app. Am looking to create a youtube tutorial around your app and just wanted to reach out to you guys if its ok to reference your app in the event it meets my needs of cause full credit goes to you guys the authors.

Hi, this library is not compatible with Django 2.1 raising the following error during migration with SQLite:

The problem exits in PyPI and master version of the lib

Traceback (most recent call last):
  File "C:\GITPRO~1\FEEDCR~1.IO\venv\lib\site-packages\django\db\backends\utils.py", line 88, in _execute
    return self.cursor.execute(sql, params)
  File "C:\GITPRO~1\FEEDCR~1.IO\venv\lib\site-packages\django\db\utils.py", line 89, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "C:\GITPRO~1\FEEDCR~1.IO\venv\lib\site-packages\django\db\backends\utils.py", line 88, in _execute
    return self.cursor.execute(sql, params)
  File "C:\GITPRO~1\FEEDCR~1.IO\venv\lib\site-packages\django\db\backends\sqlite3\base.py", line 296, in execute
    return Database.Cursor.execute(self, query, params)
django.db.utils.IntegrityError: UNIQUE constraint failed: auth_permission.content_type_id, auth_permission.codename

I found that replacing the following in admin_view_permission/apps.py solves the issue:

def update_permissions(sender, app_config, verbosity, apps=global_apps,
                       **kwargs):
    settings_models = getattr(settings, 'ADMIN_VIEW_PERMISSION_MODELS', None)

    # TODO: Maybe look at the registry not in all models
    for app in apps.get_app_configs():
        for model in app.get_models():
            view_permission = 'view_%s' % model._meta.model_name
            if settings_models or (settings_models is not None and len(
                    settings_models) == 0):
                model_name = get_model_name(model)
                if model_name in settings_models and view_permission not in \
                        [perm[0] for perm in model._meta.permissions]:
                    model._meta.permissions += (
                        (view_permission,
                         'Can view %s' % model._meta.model_name),)
            else:
                if view_permission not in [perm[0] for perm in
                                           model._meta.permissions]:
                    model._meta.permissions += (
                        ('view_%s' % model._meta.model_name,
                         'Can view %s' % model._meta.model_name),)

by this:

def update_permissions(sender, app_config, verbosity, apps=global_apps, **kwargs):
    return

Do you think the fix is correct without any side-effect ?

Apart from passing the request into the form and checking user permissions, is there a way to determine that the current changepage is view-only?

Hi,

Have you any thoughts on how to handle this long running Django bug?

I'm currently working around this using the custom management command from here, but this does not hook into whatever signaling admin-view-permission does.

Until this bug is resolved, do you see a modification of this mgmt command that would create the view perm?

Somewhat related to #5

Hi,

I have just noticed that fields attribute may look like this: ((attr1, attr2), attr3) according to https://docs.djangoproject.com/en/1.11/ref/contrib/admin/#django.contrib.admin.ModelAdmin.fields .
On the other hand, readonly_fields doesn't support such format and those fields in tuples won't be displayed. I'll provide a PR for this (spent quite a lot of time debugging it). I hope that it'll be clear what's going on there.

The permissions apply to django.contrib.admin.site.
Admn sites that subclass AdminSite and override some properties cannot have the view functionality.

Hi !

There's an ongoing PR to include view permissions into django core : django/django#6734

I just found out about your work here, and since it really aims to do the same thing, I thought you may be interested ?

Bests,

Olivier

After I installed the app, I lost my permission in viewing admin page. I am a superuser.

You don't have permission to edit anything.

Any idea on how to resolve it?

Maybe add a failsafe to prevent this? I think its censored somehow in the normal change form

User with only view permission can still edit and save the model.

All I need to do is to add a submit button to the existing submit row in html and click the button.

I pip installed version f170c3c and added 'admin_view_permission', to INSTALLED_APPS, but no new migrations are showing up when I run showmigrations or migrate. To confirm admin_view_permission is being loaded, when I add a typo to the name and run showmigrations I get an ImportError, as expected. Is there anything I need to do besides adding to INSTALLED_APPS and running migrate?

django 1.9.2
python 3.4.4

I think you have a typo in the README file:

INSTALLED_APPS = [
'amdin_view_permission',
'django.contrib.admin',
...
]
should be: 'admin_view_permission',

also it says Support

Django: 1.8, 1.9
Python: 2.7, 3.4, 3.5

but in the requirements Django==1.9.4

Hi there,

I'm receiving MultiValueDictKeyError from here: admin_view_permission/admin.py in change_view at line 231.

Your help is much appreciated.

I want to use this app to my django 2.0 project.

Hi, thanks for the app.
I meet a bug.
I have few models witn many-to-many relations. In admin I define inline to edit them and relations For example:
class EntityGuideDocumentsInline(admin.TabularInline):
model = Entity.guide_documents.through

Now I want to add view permission.
Even user has permissions to view Entity and GuideDocument models (view_entity and view_guiddocument). He doesn't see inline table, because you expect view_entity_guidedocuments permission. But when we make migration we don't create this permission (permissions for many-to-many inlines).

I hope I describe clear.

django-admin-view-permission is really cool :-)

Something is strange: with read_only -> OK but with get_readonly_fields() -> KO

Here is the detail. With just a view permission on a Model.

(1) when I use the attribute 'readonly_fields' as below

class MyModelAdmin(model.Admin):
    ...
    readonly_fields = (a,b)

The result in the admin "change view" : all the attributes are displayed in readonly (expected).

(2) when I use instead get_readonly_fields(self, request, obj=None)

class MyModelAdmin(model.Admin):
    ...
    def get_readonly_fields(self, request, obj=None):
        return (a,b)

--> all the fields that are in this list (here a,b) are readonly (as expected), but all other fields are read/write (this is unexpected). The rest is ok, no button save, etc.

I'm missing something ?
Thks

• view_form.html: object tool "Change"
• change_form.html: breadcrumb " > Change"

The documentation on how to upgrade to new django and uninstall the view permissions is not quite accurate.

If the view_* permissions are included in a permission group, the delete queryset fails to run. Please update to include a way to additionally remove the permissions from any associated group.

Some call to the init of this class don't pass request in arg[0] but in kwargs maybe you have to make some modification.

What i've done:

class AdminViewPermissionChangeList(ChangeList):
    def __init__(self, request, model, list_display, list_display_links, list_filter, date_hierarchy, search_fields,
                 list_select_related, list_per_page, list_max_show_all, list_editable, model_admin):
        super().__init__(request, model, list_display, list_display_links, list_filter, date_hierarchy, search_fields,
                         list_select_related, list_per_page, list_max_show_all, list_editable, model_admin)

        self.request = request